From 72d479cd3b443301da3607ba53bde2a8ed22035d Mon Sep 17 00:00:00 2001
From: Jens Troeger
Date: Tue, 23 May 2023 17:45:07 +1000
Subject: [PATCH 1/4] fix(deps): temporarily pin typing-extensions deps, to avoid breaking the sphinxnotes-markdown-builder package
---
 pyproject.toml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pyproject.toml b/pyproject.toml
index 5e826b96..372bbf66 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -51,6 +51,7 @@ dev = [
 docs = [
 "sphinx >=5.1.1,<8.0.0",
 "sphinxnotes-markdown-builder >=0.5.6,<1.0.0",
+ "typing-extensions <4.6.0", # markdown-builder uses pydash: https://github.com/dgilland/pydash/issues/197
 ]
 hooks = [
 "pre-commit >=2.18.0,<3.4.0",
From deb534cd0394e9071ad18ec221f5062a54ff2d43 Mon Sep 17 00:00:00 2001
From: Jens Troeger
Date: Tue, 23 May 2023 17:24:11 +1000
Subject: [PATCH 2/4] feat(ci): use a Github Repository Variable `PIP_AUDIT_PACKAGES` to control running `pip-audit` in CI
---
 .github/workflows/_build.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/_build.yaml b/.github/workflows/_build.yaml
index d6411b5d..446ed5e5 100644
--- a/.github/workflows/_build.yaml
+++ b/.github/workflows/_build.yaml
@@ -73,8 +73,10 @@ jobs:
 - name: Install dependencies
 run: make setup
- # Audit all currently installed packages for security vulnerabilities.
+ # Audit all currently installed packages for security vulnerabilities. This step can
+ # be disabled by setting the repository variable DISABLE_PIP_AUDIT to 'true'.
 - name: Audit installed packages
+ if: ${{ vars.DISABLE_PIP_AUDIT != 'true' }}
 run: make audit
 # Build the sdist and wheel distribution of the package and docs as a zip file.
From defdd1df8289c6726e3cd3eac5cd7d030132de1a Mon Sep 17 00:00:00 2001
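Review bot: The added `typing-extensions <4.6.0` ceiling lives in the package's `docs` extra, so it constrains every consumer who installs that extra rather than only this repository's CI, and nothing in the line says when it can be lifted even though the subject calls it temporary. The linked pydash issue explains the why; a trailing condition makes the pin self-expiring, e.g. `"typing-extensions <4.6.0", # TODO: drop once dgilland/pydash#197 is fixed in the pydash release markdown-builder pulls in`. Note also that the ceiling keeps an older typing-extensions in the environment that the `make audit` step in `_build.yaml` scans, so any future advisory against the 4.5.x line will block the build until the pin is removed — the correct outcome, but worth knowing when that day comes.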
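Review bot: The new `if: ${{ vars.DISABLE_PIP_AUDIT != 'true' }}` turns the vulnerability gate off with no trace in the run beyond a greyed-out skipped step, so a build produced with auditing disabled looks the same as one that passed unless someone opens the job. A companion step that fires in the opposite case surfaces the bypass as a workflow annotation: `- name: Warn that package audit is disabled`, `if: ${{ vars.DISABLE_PIP_AUDIT == 'true' }}`, `run: echo "::warning::pip-audit skipped via repository variable DISABLE_PIP_AUDIT"`. GitHub expression string comparison is case-insensitive, so `True` and `TRUE` also disable the step; the comment's `'true'` is fine as documentation but should not be read as exact-case matching. The commit subject names a `PIP_AUDIT_PACKAGES` variable while the hunk reads `DISABLE_PIP_AUDIT`; presumably the subject is stale.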
From: Jens Troeger
Date: Tue, 23 May 2023 18:53:42 +1000
Subject: [PATCH 3/4] chore: use a `disable_pip_audit` input argument for the _build.yaml reusable workflow to impose a type on the value and support repo security analysis
---
 .github/workflows/_build.yaml | 6 +++++-
 .github/workflows/pr-change-set.yaml | 2 ++
 .github/workflows/release.yaml | 4 ++++
 README.md | 2 +-
 4 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/_build.yaml b/.github/workflows/_build.yaml
index 446ed5e5..ab6d14ec 100644
--- a/.github/workflows/_build.yaml
+++ b/.github/workflows/_build.yaml
@@ -22,6 +22,10 @@ name: Build the package
 on:
 workflow_call:
+ inputs:
+ disable_pip_audit:
+ required: true
+ type: boolean
 outputs:
 artifacts-sha256:
 description: The hash of the artifacts
@@ -76,7 +80,7 @@ jobs:
 # Audit all currently installed packages for security vulnerabilities. This step can
 # be disabled by setting the repository variable DISABLE_PIP_AUDIT to 'true'.
 - name: Audit installed packages
- if: ${{ vars.DISABLE_PIP_AUDIT != 'true' }}
+ if: ${{ !inputs.disable_pip_audit }}
 run: make audit
 # Build the sdist and wheel distribution of the package and docs as a zip file.
diff --git a/.github/workflows/pr-change-set.yaml b/.github/workflows/pr-change-set.yaml
index 3d86754e..8bfc3748 100644
--- a/.github/workflows/pr-change-set.yaml
+++ b/.github/workflows/pr-change-set.yaml
@@ -18,3 +18,5 @@ jobs:
 uses: ./.github/workflows/_build.yaml
 permissions:
 contents: read
+ with:
+ disable_pip_audit: ${{ vars.DISABLE_PIP_AUDIT == 'true' }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index e6188627..88577cdf 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
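Review bot: The comment above the new `if: ${{ !inputs.disable_pip_audit }}` still tells the reader to set the repository variable `DISABLE_PIP_AUDIT`, but after this hunk `_build.yaml` never reads `vars` at all — it only sees the boolean input, and the variable is consulted by the callers in `pr-change-set.yaml` and `release.yaml`. Rewrite it so the reusable workflow documents its own contract: `# Audit all currently installed packages for security vulnerabilities. The caller can` / `# skip this step by passing the boolean input disable_pip_audit: true (the provided` / `# callers derive it from the DISABLE_PIP_AUDIT repository variable).` Because the input is declared `required: true` with no `default`, any other caller of `_build.yaml` must now pass it explicitly or the workflow call fails validation; that looks intentional, but it belongs in the commit body.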
@@ -23,6 +23,8 @@ jobs:
 uses: ./.github/workflows/_build.yaml
 permissions:
 contents: read
+ with:
+ disable_pip_audit: ${{ vars.DISABLE_PIP_AUDIT == 'true' }}
 # On pushes to the 'main' branch create a new release by bumping the version
 # and generating a change log. That's the new bump commit and associated tag.
@@ -79,6 +81,8 @@ jobs:
 uses: ./.github/workflows/_build.yaml
 permissions:
 contents: read
+ with:
+ disable_pip_audit: ${{ vars.DISABLE_PIP_AUDIT == 'true' }}
 # Create a new Release on Github from the verified build artifacts, and optionally
 # publish the artifacts to a PyPI server.
diff --git a/README.md b/README.md
index b41eec36..394b45c1 100644
--- a/README.md
+++ b/README.md
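Review bot: Honoring `DISABLE_PIP_AUDIT` in `release.yaml` means the one-off override also skips the audit for the build whose artifacts, per the comment following the second hunk, may be published to a PyPI server, and a repository variable persists until someone deletes it, so a "rare occasion" bypass can quietly cover several releases. Consider leaving the override to the PR builds and hard-wiring `disable_pip_audit: false` in this workflow so a publishable artifact is always audited, or if the escape hatch is needed here too, say so in the README. The same `${{ vars.DISABLE_PIP_AUDIT == 'true' }}` expression now appears in three places; a rename of the variable has to touch all of them.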
@@ -60,7 +60,7 @@ Automatic package versioning and tagging, publishing to [PyPI](https://pypi.org/
 [OSSF Security Scorecards](https://github.com/ossf/scorecard) is enabled as a GitHub Actions workflow to give the consumers information about the supply-chain security posture of this project, assigning a score of 0–10. We upload the results as a SARIF (Static Analysis Results Interchange Format) artifact after each run and the results can be found at the Security tab of this GitHub project. We also allow publishing the data at [OpenSSF](https://metrics.openssf.org/). We use this data to continuously improve the security posture of this project. Note that this configuration supports the ``main`` (default) branch and requires the repository to be public and not forked.
-[pip-audit](https://github.com/pypa/pip-audit) is part of the default Python virtual environment, and can be used to check all installed packages for documented [CVE](https://www.cve.org/) by querying the [Python Packaging Advisory Database](https://github.com/pypa/advisory-database). The `build.yaml` workflow always runs a package audit before the artifacts are being built.
+[pip-audit](https://github.com/pypa/pip-audit) is part of the default Python virtual environment, and can be used to check all installed packages for documented [CVE](https://www.cve.org/) by querying the [Python Packaging Advisory Database](https://github.com/pypa/advisory-database). The `_build.yaml` workflow always runs a package audit before the artifacts are being built. In automated production environments it _may_, on rare occasions, be necessary to suspend package auditing in which case you can [add a repository variable](https://docs.github.com/en/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository) `DISABLE_PIP_AUDIT` with value `true` to your repository to explicitly disable running pip-audit.
 ### Package or application?
From 70c34e6783c16009d4aec43eb23325db5e71f376 Mon Sep 17 00:00:00 2001
From: Jens Troeger
Date: Tue, 23 May 2023 19:02:25 +1000
Subject: [PATCH 4/4] chore: fine, so there
---
 .github/workflows/_build.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/_build.yaml b/.github/workflows/_build.yaml
index ab6d14ec..25232d3b 100644
--- a/.github/workflows/_build.yaml
+++ b/.github/workflows/_build.yaml
@@ -26,6 +26,7 @@ on:
 disable_pip_audit:
 required: true
 type: boolean
+ description: Enable or disable running pip_audit to check installed packages for vulnerabilities
 outputs:
 artifacts-sha256:
 description: The hash of the artifacts
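Review bot: The added `description` reads as if the input were a two-way toggle, but the input is named `disable_pip_audit`, so `true` means skip and `false` means run, and it spells the tool `pip_audit` while the README and the audit step refer to `pip-audit`. A one-line rewrite removes both ambiguities: `description: When true, skip the pip-audit step that checks installed packages for known vulnerabilities (the provided callers derive this from the DISABLE_PIP_AUDIT repository variable)`. The value is a plain scalar with no YAML indicators, so it needs no quoting either way.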